fail2ban apache-hacks

Last night I was playing with blocking visitors that are probing for lists of web apps.

Of course, after I got the rules running, there were no attempts… Today while at work, I popped on the server to see if it had been triggered and still nothing… and while watching, one popped up.

2012-05-30 12:33:16,148 fail2ban.actions: WARNING [apache-hacks] Ban 67.207.139.63

Triggered by:

site44.errors:[Wed May 30 12:33:15 2012] [error] [client 67.207.139.63] File does not exist: /www/vhosts/site44/admin
site44.errors:[Wed May 30 12:33:15 2012] [error] [client 67.207.139.63] File does not exist: /www/vhosts/site44/admin
site44.errors:[Wed May 30 12:33:15 2012] [error] [client 67.207.139.63] File does not exist: /www/vhosts/site44/admin

Very cool…

I'm sure there is more than one way to do this.

I just compiled a list of probes that I've seen and created entries like you see below.

I could clean up the list with some wildcards etc… but I just wanted to see it work.

Filter looks like:

[Definition]
failregex = .* \[error\] \[client (?P<host>\S*)] .*File does not exist: .*\/~admin$
  .* \[error\] \[client (?P<host>\S*)] .*File does not exist: .*\/3rdparty$
  .* \[error\] \[client (?P<host>\S*)] .*File does not exist: .*\/admin$
  .* \[error\] \[client (?P<host>\S*)] .*File does not exist: .*\/bbs$
  .* \[error\] \[client (?P<host>\S*)] .*File does not exist: .*\/cpadmin$
  .* \[error\] \[client (?P<host>\S*)] .*File does not exist: .*\/cpadmindb$
  .* \[error\] \[client (?P<host>\S*)] .*File does not exist: .*\/cpanelmysql$
...

with the entry in jail.local:

[apache-hacks]
enabled = true
port  = http,https
filter  = apache-hacks
logpath = /www/logs/*errors
maxretry = 2

The current list (growing) is attached. I haven't checked, but it might be possible to just have it parse the list and do the same thing but I am not very familiar with Fail2Ban yet.

http://p.linode.com/6753

In general, I typically use non-standard locations for web apps to begin with so any attempts at these are bogus to start with.
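As an added example (not the poster's code and not fail2ban's own implementation), here is a small Python replay of what the filter and jail above do: it folds the one-line-per-path failregex entries into a single alternation pattern (the wildcard clean-up mentioned), pulls the client address out as `host`, and bans a host once it reaches `maxretry` matches within `findtime` seconds, with an `ignoreip` whitelist. The log lines are constructed (the three from the post plus made-up hosts from documentation address ranges); `findtime=600` is fail2ban's default, and the sliding-window counting and plain-IP whitelist are simplifications of fail2ban's own bookkeeping. Running it against saved log lines checks the patterns offline, which is also what `fail2ban-regex` does.

```python
import re
from collections import defaultdict
from datetime import datetime

# Probe paths from the filter in the post; the attached list is longer.
PROBE_PATHS = ["~admin", "3rdparty", "admin", "bbs",
               "cpadmin", "cpadmindb", "cpanelmysql"]

# Timestamp at the start of an Apache 2.2 error log line,
# e.g. [Wed May 30 12:33:15 2012]
TIMESTAMP_RE = re.compile(
    r"\[([A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\]")


def build_failregex(paths):
    """Fold one-regex-per-path entries into a single failregex.

    One alternation group of escaped path names replaces one line per
    probe. The rest of the pattern is the post's own, with the closing
    ']' after the host group escaped.
    """
    alternation = "|".join(re.escape(p) for p in paths)
    return re.compile(
        r".* \[error\] \[client (?P<host>\S*)\] .*File does not exist: .*/(?:"
        + alternation + r")$")


FAILREGEX = build_failregex(PROBE_PATHS)


def parse_timestamp(line):
    """Return the line's datetime. A grep prefix such as 'site44.errors:' is harmless."""
    m = TIMESTAMP_RE.search(line)
    if m is None:
        raise ValueError("no Apache timestamp in line: %r" % line)
    return datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")


def scan(lines, pattern=FAILREGEX, maxretry=2, findtime=600, ignoreip=()):
    """Replay log lines through the filter the way the jail would.

    A host is banned when it reaches `maxretry` matches within `findtime`
    seconds (600 is fail2ban's default findtime). `ignoreip` models the
    jail's whitelist: matches from those hosts are never counted. The
    sliding window is a simplification of fail2ban's own counting.
    Returns banned hosts in the order they would be banned.
    """
    hits = defaultdict(list)
    banned = []
    for line in lines:
        m = pattern.match(line)
        if m is None:
            continue                       # not one of the probe paths
        host = m.group("host")
        if host in ignoreip or host in banned:
            continue
        ts = parse_timestamp(line)
        recent = [t for t in hits[host] if (ts - t).total_seconds() <= findtime]
        recent.append(ts)
        hits[host] = recent
        if len(recent) >= maxretry:
            banned.append(host)
    return banned


# Constructed sample: the three lines from the post, a benign 404 from
# 192.0.2.10, a slow prober (198.51.100.7) and a fast one (203.0.113.5).
SAMPLE_LOG = """\
[Wed May 30 12:33:15 2012] [error] [client 67.207.139.63] File does not exist: /www/vhosts/site44/admin
[Wed May 30 12:33:15 2012] [error] [client 67.207.139.63] File does not exist: /www/vhosts/site44/admin
[Wed May 30 12:33:15 2012] [error] [client 67.207.139.63] File does not exist: /www/vhosts/site44/admin
[Wed May 30 12:40:02 2012] [error] [client 192.0.2.10] File does not exist: /www/vhosts/site44/favicon.ico
[Wed May 30 12:41:30 2012] [error] [client 198.51.100.7] File does not exist: /www/vhosts/site44/cpanelmysql
[Wed May 30 13:05:00 2012] [error] [client 198.51.100.7] File does not exist: /www/vhosts/site44/bbs
[Wed May 30 13:05:01 2012] [error] [client 203.0.113.5] File does not exist: /www/vhosts/site44/cpadmin
[Wed May 30 13:05:01 2012] [error] [client 203.0.113.5] File does not exist: /www/vhosts/site44/admin
""".splitlines()


if __name__ == "__main__":
    print("ban:", scan(SAMPLE_LOG))
    print("ban, 203.0.113.5 whitelisted:", scan(SAMPLE_LOG, ignoreip={"203.0.113.5"}))
    print("ban, findtime one hour:", scan(SAMPLE_LOG, findtime=3600))
```

The benign `favicon.ico` 404 never matches, the slow prober's two hits are 23 minutes apart and so fall outside the default ten-minute window, and the whitelisted host is skipped even though it would otherwise trip `maxretry = 2` within one second, the same situation the post's first ban shows.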

9 Replies

When testing fail2ban regex changes you can use fail2ban-regex to see what the new pattern would match in your existing logfiles. That way you don't have to wait for the next attempt to see if it is working the way you expect.

fail2ban-regex 

Yes…

Actually, I stumbled upon that when I wrote the rule. And it tested out fine, but seeing it actually do it, was impressive. Originally I had the jail.local entry for it not pointing correctly, so it was not seeing all of the vhost logs.

Is this an IP address ban? I had considered this, but thought that I would be blocking [wi-fi addresses or home computers] that were taken over. I know that the University of Alabama in Birmingham here has some open WiFi hotspots I'm not eager to block, for example. I have been tolerating the - so far as I can tell - harmless Apache intrusion attempts up until now. Should I reconsider?

James

yes. You can however white list IP and ip blocks.

I use it for monitoring dovecot, exim and other logs as well.

For example a client who has problems setting up new Outlook users may trigger the block because of too many failed attempts via IMAP or POP3… but if you white list the IP, it won't happen.

@Dweeber:

yes. You can however white list IP and ip blocks.

Thank you kindly, Mr. Dweeber. Is your middle name really "aka"?

James

Actually, Also Known As….

Kevin Also Known As Dweeber? That's a pretty long name. Most people are lucky to just have one middle name, let alone three.

I had a great great uncle with 3 middle names

Actually in real life I have 6 names. A first, a last and 4 middle names but that is a different long story.
